GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

25,978 advisories

cap-go/capacitor-native-biometric Authentication Bypass Moderate
GHSA-vx5f-vmr6-32wf was published for @capgo/capacitor-native-biometric (npm) Feb 10, 2026
Credited to itz-d0dgy-2nd
Emmett-Core: Unhandled CookieError Exception Causing Denial of Service High
CVE-2026-25577 was published for emmett-core (pip) Feb 10, 2026
Credited to Ryu-GeonWoo
Apache Druid Vulnerable to Authentication Bypass Critical
CVE-2026-23906 was published for org.apache.druid.extensions:druid-basic-security (Maven) Feb 10, 2026
Apache Shiro Affected by an Observable Timing Discrepancy Vulnerability Low
CVE-2026-23901 was published for org.apache.shiro:shiro-core (Maven) Feb 10, 2026
Cube Core is vulnerable to Denial of Service (DoS) via crafted request Moderate
CVE-2026-25957 was published for @cubejs-backend/server-core (npm) Feb 10, 2026
Credited to ovr
Cube Core is vulnerable to privilege escalation via a specially crafted request High
CVE-2026-25958 was published for @cubejs-backend/server-core (npm) Feb 10, 2026
Credited to ovr
FUXA Affected by a Path Traversal Sanitization Bypass High
CVE-2026-25951 was published for fuxa-server (npm) Feb 10, 2026
Credited to h1dr1
go-git improperly verifies data integrity values for .idx and .pack files Moderate
CVE-2026-25934 was published for github.com/go-git/go-git/v5 (Go) Feb 10, 2026
Credited to N0zoM1z0
FUXA Unauthenticated Remote Arbitrary Scheduler Write Critical
CVE-2026-25939 was published for fuxa-server (npm) Feb 10, 2026
Credited to wodzen
FUXA Unauthenticated Remote Code Execution in Node-RED Integration Critical
CVE-2026-25938 was published for fuxa-server (npm) Feb 10, 2026
Credited to wodzen
amphp/http-server affected by HTTP/2 DDoS vulnerability Moderate
GHSA-8grv-jq2g-cfhw was published for amphp/http-server (Composer) Feb 10, 2026
Credited to galbarnahum
unity-cli Exposes Plaintext Credentials in Debug Logs (sign-package command) Moderate
CVE-2026-25918 was published for @rage-against-the-pixel/unity-cli (npm) Feb 10, 2026
Adminer has an Unauthenticated Persistent DoS via Array Injection in ?script=version Endpoint High
CVE-2026-25892 was published for vrana/adminer (Composer) Feb 10, 2026
Credited to JoyGhoshs
File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL High
CVE-2026-25890 was published for github.com/filebrowser/filebrowser/v2 (Go) Feb 10, 2026
Credited to Fluxmux and hacdias
@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape) Critical
CVE-2026-25881 was published for @nyariv/sandboxjs (npm) Feb 10, 2026
Credited to k14uz
File Browser has an Authentication Bypass in User Password Update Moderate
CVE-2026-25889 was published for github.com/filebrowser/filebrowser/v2 (Go) Feb 10, 2026
Credited to dogadmin and hacdias
FroshAdminer Adminer UI is accessible without admin session Moderate
CVE-2026-25878 was published for frosh/adminer-platform (Composer) Feb 10, 2026
Credited to xndrdev and Gugiman
Bitcoinrb Vulnerable to Command injection via RPC Low
GHSA-q66h-m87m-j2q6 was published for bitcoinrb (RubyGems) Feb 10, 2026
Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService Moderate
CVE-2025-14778 was published for org.keycloak:keycloak-services (Maven) Feb 9, 2026
Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url Moderate
CVE-2026-25765 was published for faraday (RubyGems) Feb 9, 2026
Credited to theamanrawat and neo-ai-engineer
LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection Moderate
CVE-2026-25528 was published for langsmith (npm) Feb 9, 2026
Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior High
CVE-2026-25498 was published for craftcms/cms (Composer) Feb 9, 2026
Credited to RajChowdhury240 and rlarabee
Craft CMS: GraphQL Asset Mutation Privilege Escalation High
CVE-2026-25497 was published for craftcms/cms (Composer) Feb 9, 2026
Credited to vitalysim
Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields Moderate
CVE-2026-25496 was published for craftcms/cms (Composer) Feb 9, 2026
Credited to mHe4am
Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]` High
CVE-2026-25495 was published for craftcms/cms (Composer) Feb 9, 2026
Credited to mHe4am
ProTip! Advisories are also available from the GraphQL API